authorLinus Heckemann <git@sphalerite.org>2020-02-28 10:50:43 +0100
committerLinus Heckemann <git@sphalerite.org>2020-03-10 15:54:02 +0100
commitcc9a4c8a06bba3c49323a9eb5df18fca4641acfc (patch)
tree1586d84d6fdd58da6690fbff65927f0f31316166
parent3f11ceb4177e4f3abec066dee47fbd331698830c (diff)
freeradius: do not generate TLS stuff
-rw-r--r--pkgs/servers/freeradius/default.nix10
1 files changed, 10 insertions, 0 deletions
diff --git a/pkgs/servers/freeradius/default.nix b/pkgs/servers/freeradius/default.nix
index f5c5d26ad470..c7d6c509f098 100644
--- a/pkgs/servers/freeradius/default.nix
+++ b/pkgs/servers/freeradius/default.nix
@@ -81,9 +81,19 @@ stdenv.mkDerivation rec {
substituteInPlace src/main/checkrad.in --replace "/usr/bin/finger" "${finger_bsd}/bin/finger"
'';
+ # By default, freeradius will generate Diffie-Hellman parameters and
+ # self-signed TLS certificates during installation. We don't want
+ # this, for several reasons:
+ # - reproducibility (random generation)
+ # - we don't want _anybody_ to use a cert where the private key is on our public binary cache!
+ # - we don't want the certs to change each time the package is rebuilt
+ # So let's avoid anything getting into our output.
+ makeFlags = [ "LOCAL_CERT_FILES=" ];
+
installFlags = [
"sysconfdir=\${out}/etc"
"localstatedir=\${TMPDIR}"
+ "INSTALL_CERT_FILES=" # see comment at makeFlags
];
outputs = [ "out" "dev" "man" "doc" ];
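Review bot: Nothing in this hunk checks that the two empty overrides, `LOCAL_CERT_FILES=` in `makeFlags` and `INSTALL_CERT_FILES=` in `installFlags`, actually keep generated key material out of `$out`. If upstream ever renames either make variable, the build would presumably go back to publishing a private key in the binary cache without any error. A post-install assertion would turn that into a build failure, for example `if find "$out" -name '*.key' | grep -q .; then echo "generated private key in output" >&2; exit 1; fi`; the file pattern is a guess and has to match what the upstream install really writes. The other phases of the derivation are outside the hunk, so it is not visible whether a `postInstall` already exists to hold this check. The comment at `makeFlags` could also add one line saying that deployments must now supply their own certificates and DH parameters.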